What is the CVSS score of CVE-2026-7556?

CVE-2026-7556 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of FV Flowplayer Video Player are affected by CVE-2026-7556?

The FV Flowplayer Video Player WordPress plugin (versions through 7.5.49.7212) contains a stored cross-site scripting vulnerability enabling attackers to inject persistent malicious code into website…

How to fix or mitigate CVE-2026-7556?

24 hours: Verify plugin installation and check whether 'Parse Vimeo and YouTube links' setting is enabled; review recent comment activity for suspicious content. 7 days: Disable the parse_comments option in plugin settings or deactivate the plugin entirely. 30 days: Monitor vendor advisories for patch availability; evaluate replacement video player solutions; if plugin remains active, implement Web Application Firewall rules to block script injection patterns in comment submissions.

FV Flowplayer Video Player CVE-2026-7556

EUVD-2026-35292 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-06-09 security@wordfence.com

GHSA-qpcq-fxp5-fvp9

XSS WordPress

7.2

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 09, 2026 - 03:32 vuln.today

CVE Published

Jun 09, 2026 - 03:16 nvd

HIGH 7.2

DescriptionCVE.org

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered.

Articles & Coverage 2

News 4 New WordPress Vulnerabilities - 4 High Severity Jun 10, 2026 News 4 New WordPress Vulnerabilities - 4 High Severity Jun 09, 2026

AnalysisAI

Stored cross-site scripting in the FV Flowplayer Video Player WordPress plugin (versions through 7.5.49.7212) allows remote attackers to inject persistent JavaScript via the comment text field, which executes in any visitor's browser when the affected page is loaded. The flaw stems from insufficient input sanitization and output escaping in the comment-parsing routine and is reachable only when the non-default 'Parse Vimeo and YouTube links' (parse_comments) option is enabled and an administrator approves the malicious comment. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify WordPress site running vulnerable FV Flowplayer with parse_comments enabled

Delivery

Submit comment containing crafted Vimeo/YouTube-style XSS payload

Exploit

Wait for administrator to approve comment

Execution

Plugin renders unsanitized payload into public page

Persist

Visitor (or admin) browser executes injected script

Impact

Steal session cookies or perform actions as logged-in admin

Access

Identify WordPress site running vulnerable FV Flowplayer with parse_comments enabled

Delivery

Submit comment containing crafted Vimeo/YouTube-style XSS payload

Exploit

Wait for administrator to approve comment

Execution

Plugin renders unsanitized payload into public page

Persist

Visitor (or admin) browser executes injected script

Impact

Steal session cookies or perform actions as logged-in admin

Vulnerability AssessmentAI

Exploitation	Two specific conditions must both hold: (1) the site administrator must have enabled the non-default 'Parse Vimeo and YouTube links' setting (parse_comments) in the FV Flowplayer Video Player plugin, and (2) an administrator must manually approve the attacker's malicious comment before it is rendered to visitors. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2) reflects network-reachable, unauthenticated submission with no user interaction and a changed scope (typical of stored XSS that affects other users' browser sessions), but the impact is bounded to low confidentiality/integrity and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker submits a comment containing a crafted payload disguised as a Vimeo or YouTube link on a post belonging to a WordPress site that uses the FV Flowplayer Video Player plugin with parse_comments enabled. A site administrator, seeing what looks like a normal video-link comment, approves it; the plugin then renders the unsanitized content into the public page, and the injected JavaScript executes in every visitor's browser - including any logged-in admin who later views the page - enabling session hijacking, forced admin actions via CSRF, or redirection to attacker infrastructure.
Remediation	Upgrade the FV Flowplayer Video Player plugin to a release later than 7.5.49.7212; the Trac changeset referenced in the advisory (https://plugins.trac.wordpress.org/changeset?new=3522496%40fv-wordpress-flowplayer%2Ftrunk&old=3478883%40fv-wordpress-flowplayer%2Ftrunk) shows the upstream fix, but a specific tagged patched version is not independently confirmed from the supplied data, so verify the latest version on the WordPress.org plugin page before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Verify plugin installation and check whether 'Parse Vimeo and YouTube links' setting is enabled; review recent comment activity for suspicious content. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8935 CRITICAL Act Now POC

9.8 Jun 15

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that i

CVE-2026-10795 HIGH This Week POC

8.1 Jun 11

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticat

CVE-2026-8089 HIGH This Week POC

7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH This Week POC

7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-52704 CRITICAL Act Now

10.0 Jun 15

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows un

CVE-2026-7556 vulnerability details – vuln.today

Back

FV Flowplayer Video Player CVE-2026-7556

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Articles & Coverage 2

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code